Re: chroot, scp and security on RedHat 8.0

From: Seth Arnold (sarnold@wirex.com)
Date: 03/04/03

  • Next message: Steve Bremer: "RE: Red Hat Network updates"
    Date: Tue, 4 Mar 2003 12:03:55 -0800
    From: Seth Arnold <sarnold@wirex.com>
    To: focus-linux@securityfocus.com

    On Fri, Feb 28, 2003 at 10:06:29PM -0500, Leland T. Snyder wrote:
    > The reply I got told me to use a patch of OpenSSH that implements
    > chroot jail if a key file exists in the home directory of the login
    > used.

    Close. It checks if the user's home in the password database includes
    the sequence /./ -- this sequence is essentially a no-op everywhere, so
    it is pretty safe for them to use it.

    There is also a pam_chroot module. I've suggested the use of this module
    instead of the chroot openssh patch to several people, and the only one
    who tried it out didn't get it to work. Heh.

    > Q1> If the first line of my /etc/profile traps and ignores all events
    > (including all user generated break/terminate events). Is there still a way
    > to break before the first line of /etc/profile as a user??

    This is a race condition, one I strongly advise you not to play. Many people
    have experienced breaking out of their confined shell scripts with
    well-timed interrupts.

    > I imagine I can bypass the whole patching of OpenSSH

    I strongly recommend the patch approach. The patch is small, clean, easy
    to read, and should integrate painlessly into whatever package of
    OpenSSH you're running on your system.

    chroot environments are difficult to get right. Doing it in a shell
    script is asking for trouble. Someone else has already gone to the
    trouble of patching OpenSSH to do it properly, and the chrootssh patch
    has had some review of the final product by interested people.

    And, as a final thought -- bind mounting can help. The kernel's
    automount daemon can help. And you don't want /proc or any setuid root
    programs available in the chroot, as root typically can break out of
    chroot without too much hassle.

    -- 
    Too bad life doesn't have a :q! command.
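The /./ convention the reply describes, worked through as an added example in C. This is not the chrootssh patch's code nor OpenSSH's own: it splits a password-database home field at the marker into the jail root and the in-jail home, and, when run as root, enters the jail and drops privileges in the order that keeps the process from being left as root inside the chroot. The function names, the sample entry /srv/jail/./home/leland, and the uid/gid 1000 are this example's assumptions; a real server would take pw_dir, pw_uid and pw_gid from the user's passwd entry.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* The marker the chrootssh patch looks for in the passwd home field. */
#define CHROOT_MARKER "/./"

/*
 * Split a passwd home field such as "/srv/jail/./home/leland" into the
 * jail root ("/srv/jail") and the home directory as seen from inside the
 * jail ("/home/leland").  Returns 1 when the marker is present and both
 * halves fit their buffers, 0 otherwise (no marker: log in unjailed).
 * A marker at the very start ("/./home") is rejected, since chroot("")
 * makes no sense.  The first marker wins; any later "/./" left in the
 * home half is harmless because chdir() treats "." as a no-op, which is
 * why the marker is safe to leave in the password database.
 */
int split_chroot_home(const char *pw_dir, char *root, size_t rootlen,
                      char *home, size_t homelen)
{
    const char *mark = strstr(pw_dir, CHROOT_MARKER);
    if (mark == NULL)
        return 0;
    size_t rlen = (size_t)(mark - pw_dir);
    const char *h = mark + 2;          /* skip "/.", keep the trailing "/" */
    if (rlen == 0 || rlen >= rootlen || strlen(h) >= homelen)
        return 0;
    memcpy(root, pw_dir, rlen);
    root[rlen] = '\0';
    strcpy(home, h);
    return 1;
}

/*
 * Enter the jail and become the user.  Order matters: chdir() into the
 * root first so the cwd is inside the new root, then chroot(), then
 * chdir() to the home path (now relative to the new root), and only then
 * drop supplementary groups, gid and uid.  Returns 0 on success, -1 with
 * a message on stderr.  Must be called as root.
 */
int enter_chroot_home(const char *root, const char *home, uid_t uid, gid_t gid)
{
    if (chdir(root) < 0)        { perror("chdir(root)"); return -1; }
    if (chroot(root) < 0)       { perror("chroot");      return -1; }
    if (chdir(home) < 0)        { perror("chdir(home)"); return -1; }
    if (setgroups(0, NULL) < 0) { perror("setgroups");   return -1; }
    if (setgid(gid) < 0)        { perror("setgid");      return -1; }
    if (setuid(uid) < 0)        { perror("setuid");      return -1; }
    /* A privilege drop that silently failed would leave root inside the
     * jail, which is exactly the case in which chroot does not hold. */
    if (setuid(0) == 0 || geteuid() != uid || getuid() != uid) {
        fprintf(stderr, "privilege drop did not take\n");
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed sample entry; a real server reads pw->pw_dir instead. */
    const char *pw_dir = argc > 1 ? argv[1] : "/srv/jail/./home/leland";
    char root[PATH_MAX], home[PATH_MAX];

    if (!split_chroot_home(pw_dir, root, sizeof root, home, sizeof home)) {
        printf("no %s marker in %s: no chroot\n", CHROOT_MARKER, pw_dir);
        return 0;
    }
    printf("chroot to %s, then chdir to %s\n", root, home);
    if (geteuid() != 0) {
        printf("not root: stopping before the actual chroot\n");
        return 0;
    }
    /* uid/gid 1000 are placeholders; use the user's pw_uid/pw_gid. */
    if (enter_chroot_home(root, home, 1000, 1000) < 0)
        return 1;
    execl("/bin/sh", "sh", "-l", (char *)NULL);   /* the /bin/sh inside the jail */
    perror("execl");
    return 1;
}
```

Run it unprivileged with a home field as the argument to see the split without touching the filesystem; run it as root only against a jail you have populated, because execl() resolves /bin/sh inside the new root. Note that the code can only verify that root is gone; it cannot verify what the reply also asks for, that /proc and setuid-root programs are absent from the jail, so check the jail's contents separately before handing it to users.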
    
    